Microsoft Shuts Down 'Netflix for Malware' That Used Its Own Tools to Bypass Windows
It turns out you didn't need a massive hacker brain to bypass Windows security; you just needed $5,000 and a subscription to a platform that used Microsoft’s own systems to give viruses a shiny, official "approved" stamp. Beautifully ironic.
The cybercrime syndicate known as Fox Tempest ran a highly lucrative business on the domain signspace[.]cloud, offering a "malware-signing-as-a-service" platform. For a steep subscription fee of $5,000 to $9,000 in Bitcoin, customers could transform raw, sketchy code into certified software that Windows would trust implicitly.
Instead of finding complex exploits, the platform simply abused Microsoft’s very own Artifact Signing infrastructure. By spinning up hundreds of fake accounts on Azure, they generated authentic cryptographic signatures that remained valid for roughly 72 hours—giving hackers plenty of time to bypass security filters.
The service was used to package malware disguised as everyday workplace tools like Microsoft Teams, AnyDesk, PuTTY, and Cisco Webex. Once users executed these supposedly safe files, they were hit with loader programs like Oyster, which quietly paved the way for ransomware operations like Rhysida. Microsoft’s Digital Crimes Unit eventually stepped in, seizing the domain and shutting down the virtual machines powering the scheme.
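An added example, not from Microsoft or the original article: defender-side triage of exported Authenticode metadata that flags files claiming to be one of the impersonated tools while carrying a different signer and a short-lived certificate. The record fields, the 96-hour threshold and the expected-signer names are assumptions to replace with values verified against your own software inventory.

```python
from datetime import datetime, timedelta

# Assumed threshold: a little above the ~72-hour validity the article describes.
SHORT_LIVED = timedelta(hours=96)
# Assumed expected signers; verify each against known-good installers.
EXPECTED_SIGNER = {
    "microsoft teams": "Microsoft Corporation",
    "anydesk": "AnyDesk Software GmbH",
    "putty": "Simon Tatham",
    "cisco webex": "Cisco Webex LLC",
}

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def triage(rec):
    """Return (severity, reasons) for one signature record."""
    reasons = []
    if not rec["signature_valid"]:
        reasons.append("invalid_signature")
    lifetime = parse(rec["not_after"]) - parse(rec["not_before"])
    if lifetime <= SHORT_LIVED:
        # Assumption: weak signal alone, legitimate users of the service get it too.
        reasons.append("short_lived_cert")
    product = rec["product_name"].lower()
    for name, signer in EXPECTED_SIGNER.items():
        if name in product and rec["signer"] != signer:
            reasons.append("signer_mismatch:" + name)
    mismatch = any(r.startswith("signer_mismatch") for r in reasons)
    if mismatch and "short_lived_cert" in reasons:
        return "high", reasons
    if mismatch or "invalid_signature" in reasons:
        return "medium", reasons
    return ("low" if reasons else "none"), reasons

# Constructed sample records, not real telemetry.
SAMPLE = [
    {"path": "TeamsSetup.exe", "product_name": "Microsoft Teams", "signer": "Example Trading Ltd",
     "not_before": "2025-01-10T00:00:00Z", "not_after": "2025-01-13T00:00:00Z", "signature_valid": True},
    {"path": "putty.exe", "product_name": "PuTTY suite", "signer": "Simon Tatham",
     "not_before": "2024-01-01T00:00:00Z", "not_after": "2027-01-01T00:00:00Z", "signature_valid": True},
    {"path": "agent.exe", "product_name": "Build Agent", "signer": "Example Internal Ltd",
     "not_before": "2025-01-10T00:00:00Z", "not_after": "2025-01-13T00:00:00Z", "signature_valid": True},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["path"], *triage(rec))
```

A valid signature is deliberately not treated as a reason to skip a file here, since the files described above carried authentic signatures.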
Running a pirate ship using the navy's own dockyard is peak cyber-audacity. It took Microsoft a year to notice that its own cloud infrastructure was basically hosting a drive-thru window for ransomware, proving once again that the biggest security hole in big tech is often their own billing department.
Source: Microsoft Security Blog